Privacy Policy — Odyssey Cortex

1 Introduction

Odyssey Capital ("Company", "we", "us", or "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, store, share, and protect information when you use the Odyssey Cortex platform ("the Platform").

By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Platform.

This Privacy Policy applies to all users of the Platform, including administrators, team members, and any individuals whose data is processed through the Platform by our customers.

2 Data Controller

Odyssey Capital acts as the data controller for the personal data of Platform users (account holders, administrators, team members). For contact and lead data that our customers input into the Platform, Odyssey Capital acts as a data processor, processing data on behalf of our customers who are the data controllers.

Data Controller: Odyssey Capital
Email: privacy@odyssey-cap.com
Website: odyssey-cap.com

3 Data We Collect

3.1 Account Information

When you register for or use the Platform, we collect:

Data Type	Examples	Purpose
Identity Data	Full name, username, profile photo	Account creation & identification
Contact Data	Email address, phone number	Communication & authentication
Organization Data	Company name, role, team structure	Tenant setup & access control
Authentication Data	Hashed passwords, session tokens	Secure account access

3.2 Business Data

Data you store and manage through the Platform:

Contacts, leads, and customer information
Companies and organization records
Deals, pipelines, and sales data
Communication history (emails, WhatsApp messages, call logs)
Notes, tasks, and calendar events
Documents and file attachments

3.3 Usage Data

We automatically collect information about how you interact with the Platform:

Log data (IP address, browser type, operating system, referring URLs)
Feature usage patterns and click behavior
Session duration and frequency of use
Error logs and performance data

3.4 Communication Data

When you use the Platform's communication features:

Email content, metadata, and tracking data (open/click events)
WhatsApp message content and delivery status
Voice call recordings (when enabled), call duration, and metadata

4 How We Collect Data

We collect data through the following methods:

Direct input: Information you provide when registering, configuring your account, or entering data into the Platform.
Automated collection: Cookies, server logs, and analytics tools that capture usage data when you interact with the Platform.
Third-party integrations: Data received from connected services such as email providers (IMAP), WhatsApp Business API, and VoIP systems.
AI processing: Data generated by AI features, such as email classifications, sentiment analysis, and automated summaries.

5 Purpose of Processing

We process your data for the following purposes:

Purpose	Description
Service Delivery	Providing, maintaining, and improving the Platform's features and functionality.
Authentication & Security	Verifying your identity, managing sessions, and protecting against unauthorized access.
Communication	Sending service-related notifications, updates, and support responses.
AI & Automation	Powering AI features such as email composition, data classification, and predictive analytics.
Analytics	Understanding usage patterns to improve user experience and Platform performance.
Legal Compliance	Meeting legal obligations, responding to lawful requests, and enforcing our Terms of Service.

6 Legal Basis for Processing

We process your personal data based on the following legal grounds:

Contractual Necessity: Processing required to fulfill our obligations under the Terms of Service and subscription agreement.
Legitimate Interest: Processing necessary for our legitimate business interests, such as improving the Platform, ensuring security, and fraud prevention, provided these interests do not override your fundamental rights.
Consent: Where you have given explicit consent, such as for marketing communications or optional AI features. You may withdraw consent at any time.
Legal Obligation: Processing required to comply with applicable laws and regulations.

7 Data Sharing & Third Parties

We do not sell your personal data to third parties. We only share data as described below.

7.1 Service Providers

We share data with trusted service providers who assist in operating the Platform:

Cloud infrastructure: Hosting and data storage providers with appropriate security certifications.
AI service providers: Language model APIs (e.g., OpenAI, Anthropic) for AI-powered features — data is sent only as needed and is governed by data processing agreements.
Communication providers: Meta (WhatsApp Business API), email infrastructure providers, and SIP/VoIP telephony providers.
Analytics tools: For aggregated usage analytics (e.g., Google Analytics).

7.2 At Your Direction

We may share data when you explicitly enable integrations, such as connecting your email account, configuring WhatsApp, or using third-party tools through the Platform.

7.3 Legal Requirements

We may disclose data if required by law, court order, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

7.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity, subject to the same privacy protections described in this Policy.

8 AI & Automated Processing

The Platform uses artificial intelligence for various features. Important information about AI data processing:

Data sent to AI providers: When you use AI features, relevant data (e.g., email content for composition, contact data for classification) is sent to third-party AI providers. We minimize the data sent and do not include unnecessary personal information.
No model training: Your data is not used to train AI models. We use API-based services where your data is processed for inference only and is not retained by the AI provider for training purposes.
Automated decisions: AI may classify emails, score leads, or suggest actions. These automated processes do not make legally binding decisions without human review. You always have the ability to override AI-generated outcomes.
Opt-out: You can disable specific AI features through your account settings if you prefer not to have your data processed by AI services.

9 Data Retention

We retain your data for as long as necessary to provide the Platform's services and fulfill the purposes outlined in this Policy:

Data Category	Retention Period
Account information	Duration of account + 30 days after deletion
Business data (CRM records)	Duration of account + 30 days for export
Communication logs	Duration of account + 30 days
Call recordings	As configured by tenant (default: 90 days)
Usage logs & analytics	12 months (anonymized after)
Server & error logs	90 days

Upon account termination, you have 30 days to request a full export of your data. After this period, your data is permanently and irreversibly deleted from all active systems. Backup copies may persist for up to an additional 30 days before being purged.

10 Data Security

We implement comprehensive security measures to protect your data:

Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
Access controls: Role-based access control (RBAC) ensures users can only access data relevant to their role.
Multi-tenancy isolation: Each tenant's data is logically isolated to prevent cross-tenant data access.
Authentication security: Passwords are hashed using industry-standard algorithms. Sessions are managed with secure tokens.
Infrastructure: The Platform is hosted on enterprise-grade infrastructure with regular security audits and monitoring.
Incident response: We maintain an incident response plan. In the event of a data breach, affected users will be notified within 72 hours as required by applicable law.

While we implement robust security measures, no method of transmission or storage is 100% secure. We encourage you to use strong passwords and protect your login credentials.

11 Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Right of Access: Request a copy of the personal data we hold about you.
Right to Rectification: Request correction of inaccurate or incomplete personal data.
Right to Erasure: Request deletion of your personal data, subject to legal retention requirements.
Right to Restriction: Request limitation of processing of your personal data in certain circumstances.
Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format.
Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
Right to Lodge a Complaint: File a complaint with a supervisory authority if you believe your rights have been violated.

To exercise any of these rights, please contact us at privacy@odyssey-cap.com. We will respond to your request within 30 days.

11.1 KVKK (Turkish Data Protection)

For users in Turkey, your data is processed in compliance with the Turkish Personal Data Protection Law No. 6698 (KVKK). You have the right to:

Learn whether your personal data is being processed.
Request information about processing activities.
Learn the purpose and whether data is used in accordance with that purpose.
Know the third parties to whom data is transferred.
Request correction or deletion of personal data.
Object to automated decision-making.
Request compensation for damages arising from unlawful processing.

12 Cookies & Tracking

The Platform uses cookies and similar technologies:

Cookie Type	Purpose	Duration
Essential	Authentication, session management, CSRF protection	Session / 2 hours
Functional	Language preferences, UI settings	1 year
Analytics	Usage statistics, performance monitoring	12 months

Essential cookies are necessary for the Platform to function and cannot be disabled. You can manage non-essential cookies through your browser settings.

12.1 Email Tracking

When you send emails through the Platform, we may include tracking pixels to detect email opens and link clicks. This tracking is performed on behalf of the sending user and is subject to their compliance with applicable email marketing laws.

13 International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence, including countries where our servers, service providers, or AI processing partners are located. When transferring data internationally, we ensure appropriate safeguards are in place:

Standard contractual clauses (SCCs) or equivalent legal mechanisms.
Data processing agreements with all third-party providers.
Verification that receiving countries provide adequate data protection or that additional safeguards are implemented.

14 Children's Privacy

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data without parental or guardian consent, please contact us at privacy@odyssey-cap.com, and we will take steps to delete such information.

15 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

We will update the "Last updated" date at the top of this Policy.
We will notify you via email or through a prominent notice on the Platform for significant changes.
We will provide at least 30 days' notice before material changes take effect.

We encourage you to review this Policy periodically to stay informed about how we protect your data.

16 Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Odyssey Capital — Data Privacy

Privacy Inquiries: privacy@odyssey-cap.com

General: legal@odyssey-cap.com

Website: odyssey-cap.com

We aim to respond to all privacy-related inquiries within 30 days of receipt.